Non-interactive logins
Manger, James H
James.H.Manger at team.telstra.com
Wed Jul 16 05:09:12 UTC 2008
Hi Anders,
There has been some work on this important issue, though it seems to have been dormant for a while.
There seem to be two proposals (by Martin Atkins) using OpenID as an HTTP authentication mechanism. It is suitable for non-browser, non-interactive use cases.
http://wiki.openid.net/OpenIDHTTPAuth
http://wiki.openid.net/OpenID_HTTP_Authentication
I really like the idea of this basic flow:
1. RP indicates it supports OpenID with WWW-Authenticate: OpenID header;
2. App interacts with the app's OP;
3. App sends OpenID authentication response to RP in Authorization header;
4. RP performs discovery;
5. RP does direct verification with OP.
App --GET xxx--> RP
    <--401 WWW-Authenticate: OpenID realm="..."--
App <----> OP [if necessary]
App --GET xxx Authorization: OpenID <opened-auth-request-stuff>--> RP
                                           RP --GET <claimed_id>-->
                                              <--discovery XRDS/HTML--
                                           RP --POST ...openid.mode=check_authentication--> OP
                                              <--is_valid=true--
App <--200 content--
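The flow above, played out in-process as an added Python example; this is not code from the post or from either wiki proposal. The hostnames, the discovery table, the direct in-process call standing in for the POST to the OP, and the encoding of the `Authorization: OpenID` value as a form-urlencoded list of `openid.*` parameters are all assumptions. The signing is simplified to an HMAC over the signed fields in key-value form with a single OP-held secret (no association, and `mode` left out of the signed list). What it is meant to show is the RP side of steps 3 and 4: the RP must discover the OP for the claimed_id, confirm the response was issued for its own realm, refuse a reused nonce, and only then accept an `is_valid:true` answer from that OP.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

OP_ENDPOINT = "https://op.example/endpoint"  # constructed OP endpoint URL
RP_REALM = "https://rp.example/"             # constructed RP realm
SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"


def kv_form(fields):
    """OpenID key-value form, 'key:value\\n' per field, in the order given."""
    return "".join(f"{k}:{v}\n" for k, v in fields)


class OP:
    """Toy OpenID Provider: issues signed id_res assertions, answers check_authentication."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)  # private HMAC key (stateless mode)

    def _sign(self, params):
        signed = params["openid.signed"].split(",")
        data = kv_form((k, params["openid." + k]) for k in signed)
        return hmac.new(self._secret, data.encode(), hashlib.sha256).hexdigest()

    def issue(self, claimed_id, return_to):
        params = {
            "openid.ns": "http://specs.openid.net/auth/2.0",
            "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT,
            "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id,
            "openid.return_to": return_to,
            "openid.response_nonce": secrets.token_hex(8),
            "openid.assoc_handle": "stateless-1",
            "openid.signed": SIGNED,
        }
        params["openid.sig"] = self._sign(params)
        return params

    def check_authentication(self, params):
        """Direct verification (step 4): recompute the HMAC over the signed fields."""
        try:
            expected = self._sign(params)
        except KeyError:
            return {"is_valid": "false"}
        ok = hmac.compare_digest(expected, params.get("openid.sig", ""))
        return {"is_valid": "true" if ok else "false"}


class RP:
    """Relying Party: challenges with WWW-Authenticate, then verifies the Authorization header."""
    def __init__(self, op, discovery):
        self._op = op                # stands in for POSTing to the discovered OP endpoint
        self._discovery = discovery  # claimed_id -> op_endpoint, stands in for XRDS/HTML discovery
        self._seen_nonces = set()

    def handle(self, request):
        challenge = {"WWW-Authenticate": f'OpenID realm="{RP_REALM}"'}
        auth = request.get("Authorization", "")
        if not auth.startswith("OpenID "):
            return 401, challenge, ""
        p = dict(parse_qsl(auth[len("OpenID "):]))
        # Step 3: discovery. The OP named in the response must be the one claimed_id points at.
        if self._discovery.get(p.get("openid.claimed_id")) != p.get("openid.op_endpoint"):
            return 401, challenge, "discovery mismatch"
        if p.get("openid.return_to") != RP_REALM:  # assertion was issued for some other RP
            return 401, challenge, "return_to mismatch"
        if p.get("openid.response_nonce") in self._seen_nonces:  # one assertion, one use
            return 401, challenge, "replayed nonce"
        # Step 4: direct verification with the OP.
        query = dict(p, **{"openid.mode": "check_authentication"})
        if self._op.check_authentication(query).get("is_valid") != "true":
            return 401, challenge, "signature invalid"
        self._seen_nonces.add(p["openid.response_nonce"])
        return 200, {}, f"hello {p['openid.claimed_id']}"


class App:
    """Non-interactive client: answers the 401 challenge with an OP-issued assertion."""
    def __init__(self, op, claimed_id):
        self._op, self.claimed_id = op, claimed_id

    def get(self, rp, path="/resource"):
        status, headers, body = rp.handle({"GET": path})
        challenge = headers.get("WWW-Authenticate", "")
        if status != 401 or not challenge.startswith("OpenID "):
            return status, body
        realm = challenge.split('realm="', 1)[1].rstrip('"')
        assertion = self._op.issue(self.claimed_id, realm)  # step 2: app <-> OP
        header = "OpenID " + urlencode(assertion)           # assumed header-value encoding
        status, _, body = rp.handle({"GET": path, "Authorization": header})
        return status, body


DISCOVERY = {"https://alice.example/": OP_ENDPOINT}  # constructed discovery result


def run_flow():
    """Happy path: 401 challenge, assertion, discovery, check_authentication, 200."""
    op = OP()
    return App(op, "https://alice.example/").get(RP(op, DISCOVERY))


def run_altered_and_replayed():
    """An altered assertion fails verification; an intact one works once, then is rejected."""
    op, rp = OP(), None
    rp = RP(op, DISCOVERY)
    good = op.issue("https://alice.example/", RP_REALM)
    bad = dict(good, **{"openid.response_nonce": "changed-after-signing"})
    req = lambda a: rp.handle({"GET": "/resource", "Authorization": "OpenID " + urlencode(a)})[0]
    return req(bad), req(good), req(good)


if __name__ == "__main__":
    print(run_flow())                  # (200, 'hello https://alice.example/')
    print(run_altered_and_replayed())  # (401, 200, 401)
```

The three RP checks before the OP call are the ones a non-browser deployment tends to forget: without the discovery comparison any OP could vouch for any claimed_id, without the return_to comparison an assertion obtained for one RP can be presented to another, and without the nonce set a captured header keeps working until the OP's key changes.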